diff --git a/docs/bsd.txt b/docs/bsd.txt
index 7140341..95703ef 100644
--- a/docs/bsd.txt
+++ b/docs/bsd.txt
@@ -373,3 +373,19 @@ start-fw создает 3 файла anchors в /etc/pf.anchors : zapret,zapret-
 Таблицы zapret6,zapret6-user - в anchor "zapret-v6". Если какая-то версия протокола отключена - соответствующий anchor пустой и не упоминается в anchor "zapret".
 Таблицы и правила создаются только на те листы, которые фактически есть в директории ipset.
+
+
+MacOS вариант custom
+--------------------
+
+Так же как и в других системах, поддерживаемых в простом инсталяторе, можно создавать свои custom скрипты.
+Расположение : /opt/zapret/init.d/macos/custom
+
+zapret_custom_daemons() получает в $1 "0" или "1". "0" - stop, "1" - start
+custom firewall отличается от linux варианта.
+Вместо заполнения iptables вам нужно сгенерировать правила для zapret-v4 и zapret-v6 anchors и выдать их в stdout.
+Это делается в функциях zapret_custom_firewall_v4() и zapret_custom_firewall_v6().
+Определения таблиц заполняются основным скриптом - вам это делать не нужно.
+Можно ссылаться на таблицы zapret и zapret-user в v4, zapret6 и zapret6-user.
+
+Cм. пример в файле custom-tpws
diff --git a/init.d/macos/custom b/init.d/macos/custom
new file mode 100644
index 0000000..e00e1c8
--- /dev/null
+++ b/init.d/macos/custom
@@ -0,0 +1,21 @@
+# this script contain your special code to launch daemons and configure firewall
+# use helpers from "functions" file
+# in case of upgrade keep this file only, do not modify others
+
+zapret_custom_daemons()
+{
+ # $1 - 1 - run, 0 - stop
+ :
+}
+
+# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
+# they come after automated table definitions. so you can use ...
+
+zapret_custom_firewall_v4()
+{
+ :
+}
+zapret_custom_firewall_v6()
+{
+ :
+}
diff --git a/init.d/macos/custom-tpws b/init.d/macos/custom-tpws
new file mode 100644
index 0000000..c32d5cb
--- /dev/null
+++ b/init.d/macos/custom-tpws
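Review bot: The header comment of the new init.d/macos/custom ends with `so you can use ...`, leaving out the one fact a hook author needs: what the firewall hooks may reference and where their output goes. The docs hunk in the same commit states it (rules are echoed to stdout for the zapret-v4/zapret-v6 anchors and may reference the tables zapret and zapret-user for v4, zapret6 and zapret6-user for v6), so the comment could read `# they come after automated table definitions, so rules may reference tables zapret/zapret-user (v4) and zapret6/zapret6-user (v6); echo pf rules to stdout`. `# this script contain` should be `# this script contains`. The same truncated comment is repeated in init.d/macos/custom-tpws.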
@@ -0,0 +1,25 @@
+# this script is an example describing how to run tpws on a custom port
+
+TPPORT_MY=987
+
+zapret_custom_daemons()
+{
+ # $1 - 1 - run, 0 - stop
+ local opt="--user=root --port=$TPPORT_MY"
+ filter_apply_hostlist_target opt
+ tpws_apply_binds opt
+ opt="$opt $TPWS_OPT"
+ do_daemon $1 1 "$TPWS" "$opt"
+}
+
+# custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
+# they come after automated table definitions. so you can use ...
+
+zapret_custom_firewall_v4()
+{
+ pf_anchor_zapret_v4_tpws $TPPORT_MY
+}
+zapret_custom_firewall_v6()
+{
+ pf_anchor_zapret_v6_tpws $TPPORT_MY
+}
diff --git a/init.d/macos/functions b/init.d/macos/functions
index 1439b36..a572df2 100644
--- a/init.d/macos/functions
+++ b/init.d/macos/functions
@@ -20,6 +20,14 @@ PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
 [ -n "$IFACE_WAN" ] && OWAN=" on $IFACE_WAN"
+CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
+[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
+
+existf()
+{
+ type "$1" >/dev/null 2>/dev/null
+}
+
 on_off_function()
 {
 # $1 : function name on
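Review bot: zapret_custom_firewall_v4 and zapret_custom_firewall_v6 pass only the port to pf_anchor_zapret_v4_tpws/pf_anchor_zapret_v6_tpws, but as those helpers are added in init.d/macos/functions they loop over a `tbl` variable they never receive, so this example works only because the `custom)` arm of pf_anchor_zapret_v4/v6 runs pf_anchor_zapret_tables before calling the hook; a comment here, `# tbl (zapret/zapret-user table names) is filled by the caller before this hook runs`, would stop the next author from copying the call into a context where it emits only the lo0 rule. `do_daemon $1 1 "$TPWS" "$opt"` leaves `$1` unquoted while every other argument is quoted; `do_daemon "$1" 1 "$TPWS" "$opt"` is consistent. The example also runs tpws as root via `--user=root`; a one-line comment saying why (the `user { >root }` clause in the redirect rules appears to rely on it — confirm) would help anyone who later switches the daemon to an unprivileged user.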
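Review bot: `[ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"` sources and executes whatever is in $ZAPRET_BASE/init.d/macos/custom with the privileges of the script that loaded functions, which configures pf and so presumably runs as root; the only gate is that the file exists. Since install_easy.sh now also backs up and restores this file, it is worth refusing to source it unless it is owned by the invoking user, e.g. `[ -f "$CUSTOM_SCRIPT" ] && [ -O "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"` (`-O` is supported by the bash that macOS ships as /bin/sh but is not POSIX — confirm against the interpreter these scripts run under). `existf` also deserves a comment that `type` succeeds for binaries and aliases of that name, not only shell functions, e.g. `# true if $1 resolves to a function, builtin or command on PATH`.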
@@ -220,46 +228,72 @@ pf_anchor_port_target()
 echo "80"
 fi
 }
+pf_anchor_zapret_v4_tpws()
+{
+ # $1 - port
+
+ local port=$(pf_anchor_port_target)
+ [ -n "$IFACE_LAN" ] && {
+ for t in $tbl; do
+ echo "rdr on $IFACE_LAN inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
+ done
+ }
+ echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1"
+ for t in $tbl; do
+ echo "pass out$OWAN route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
+ done
+}
+
 pf_anchor_zapret_v4()
 {
 local tbl port
- [ "$DISABLE_IPV4" = "1" ] || {
- [ "$MODE" = "tpws" ] && {
- [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
- pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
- port=$(pf_anchor_port_target)
- for t in $tbl; do
- [ -n "$IFACE_LAN" ] && echo "rdr on $IFACE_LAN inet proto tcp from any to $t port $port -> 127.0.0.1 port $TPPORT"
- done
- echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $TPPORT"
- for t in $tbl; do
- echo "pass out$OWAN route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
- done
- }
+ case $MODE in
+ tpws)
+ [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
+ pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
+ pf_anchor_zapret_v4_tpws $TPPORT
+ ;;
+ custom)
+ pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
+ existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
+ ;;
+ esac
 }
 }
+pf_anchor_zapret_v6_tpws()
+{
+ # $1 - port
+
+ local port=$(pf_anchor_port_target)
+ # LAN link local is only for router
+ [ -n "$IFACE_LAN" ] && LL_LAN=$(get_ipv6_linklocal $IFACE_LAN)
+ [ -n "$LL_LAN" ] && {
+ for t in $tbl; do
+ echo "rdr on $IFACE_LAN inet6 proto tcp from any to $t port $port -> $LL_LAN port $1"
+ done
+ }
+ echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1"
+ for t in $tbl; do
+ echo "pass out$OWAN route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
+ done
+}
 pf_anchor_zapret_v6()
 {
 local tbl port LL_LAN
 [ "$DISABLE_IPV6" = "1" ] || {
- [ "$MODE" = "tpws" ] && {
- [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
-
- # LAN link local is only for router
- [ -n "$IFACE_LAN" ] && LL_LAN=$(get_ipv6_linklocal $IFACE_LAN)
-
- pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
- port=$(pf_anchor_port_target)
- for t in $tbl; do
- [ -n "$LL_LAN" ] && echo "rdr on $IFACE_LAN inet6 proto tcp from any to $t port $port -> $LL_LAN port $TPPORT"
- done
- echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $TPPORT"
- for t in $tbl; do
- echo "pass out$OWAN route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
- done
- }
+ case $MODE in
+ tpws)
+ [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
+ pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
+ pf_anchor_zapret_v6_tpws $TPPORT
+ ;;
+ custom)
+ pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
+ existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
+ ;;
+ esac
 }
 }
 pf_anchors_create()
@@ -330,7 +364,7 @@ zapret_do_firewall()
 # $1 - 1 - add, 0 - del
 case "${MODE}" in
- tpws|filter)
+ tpws|filter|custom)
 if [ "$1" = "1" ] ; then
 pf_anchor_root || return 1
 pf_anchors_create
@@ -384,6 +418,9 @@ zapret_do_daemons()
 ;;
 filter)
 ;;
+ custom)
+ existf zapret_custom_daemons && zapret_custom_daemons $1
+ ;;
 *)
 echo "unsupported MODE=$MODE"
 return 1
diff --git a/install_easy.sh b/install_easy.sh
index d5902d4..9d598d4 100755
--- a/install_easy.sh
+++ b/install_easy.sh
@@ -292,7 +292,7 @@ write_config_var()
 select_mode_mode()
 {
 local MODES="tpws nfqws filter custom"
- [ "$SYSTEM" = "macos" ] && MODES="tpws filter"
+ [ "$SYSTEM" = "macos" ] && MODES="tpws filter custom"
 echo
 echo select MODE :
 ask_list MODE "$MODES" tpws && write_config_var MODE
@@ -540,7 +540,7 @@ backup_restore_settings()
 {
 # $1 - 1 - backup, 0 - restore
 local mode=$1
- on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt"
+ on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt"
 }
 check_location()
@@ -1176,17 +1176,21 @@ service_start_macos()
 }
 macos_fw_reload_trigger_clear()
 {
- [ "$MODE" = "tpws" ] && {
- LISTS_RELOAD=
- write_config_var LISTS_RELOAD
- }
+ case "$MODE" in
+ tpws|custom)
+ LISTS_RELOAD=
+ write_config_var LISTS_RELOAD
+ ;;
+ esac
 }
 macos_fw_reload_trigger_set()
 {
- [ "$MODE" = "tpws" ] && {
- LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
- write_config_var LISTS_RELOAD
- }
+ case "$MODE" in
+ tpws|custom)
+ LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
+ write_config_var LISTS_RELOAD
+ ;;
+ esac
 }
 install_macos()
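Review bot: Replacing `[ "$MODE" = "tpws" ] && { … }` with `case "$MODE" in tpws|custom) … ;; esac` changes the exit status of macos_fw_reload_trigger_clear and macos_fw_reload_trigger_set for every other mode from 1 to 0; their callers are outside the hunk, so if any of them chain on the result (`macos_fw_reload_trigger_set && …`) this is a behaviour change worth confirming. The `tpws|custom` selector is now written identically in both functions; a comment on each, `# modes whose pf tables are refreshed through reload-fw-tables`, or a single helper that both call, would keep the two from drifting apart when the next mode is added.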